Wireshark-bugs: [Wireshark-bugs] [Bug 475] Add Buffer Size to Capture Preferences window

Date: Wed, 30 Dec 2009 11:36:49 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=475

Guy Harris <guy@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |guy@xxxxxxxxxxxx

--- Comment #6 from Guy Harris <guy@xxxxxxxxxxxx> 2009-12-30 11:36:47 PST ---
You use pcap_set_rfmon() if the user tells you that they want to capture in
"monitor mode".

Note that capturing in "monitor mode" might disassociate you from whatever
network you're on, and might not decrypt any traffic including traffic to and
from your machine.

If pcap_can_set_rfmon() on a created-but-not-yet-activated pcap_t for a given
device returns 1, Wireshark should provide a check box in the capture options
dialog box when that device is in the "Interface:" box, allowing the user to
choose whether to go into monitor mode or not.

On the command line, use "-I" (capital-i) to request monitor mode (that's what
tcpdump 4.0.0 and later use if linked with libpcap 1.0.0 or later).

Note that, on some platforms, you can only get 802.11 headers in monitor mode. 
That's the case in Mac OS X, and sort-of the case on Linux (the behavior is
device-dependent and driver-dependent; with mac80211 drivers, you can only get
radiotap headers in monitor mode, although, if you capture on the right
interface, you can get 802.11 headers out of monitor mode - libpcap doesn't yet
support that, however).  Therefore, if you're using
pcap_create()/pcap_activate(), pcap_list_datalinks() will show you only the
link types available in the mode you've selected - if you haven't selected
monitor mode, you might get only DLT_EN10MB - examples from Mac OS X 10.6
(which comes with libpcap 1.0.0 and tcpdump 4.0.0):

  $ tcpdump -i en1 -L
  Data link types (use option -y to set):
    EN10MB (Ethernet)
  $ tcpdump -i en1 -I -L
  Data link types (use option -y to set):
    IEEE802_11_RADIO (802.11 plus radiotap header)
    IEEE802_11 (802.11)

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
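
Added example, not part of the original bug comment and not Wireshark or libpcap code: the call order described in comment #6 (pcap_create(), pcap_can_set_rfmon() on the not-yet-activated handle, optional pcap_set_rfmon(), pcap_activate(), then pcap_list_datalinks()), written as a Python ctypes binding to libpcap 1.0.0 or later. The names load_libpcap, probe_link_types and the lib parameter are assumptions of this example; lib lets a stand-in object replace the real library.

```python
import ctypes
import ctypes.util

# DLT_ numbers from libpcap's pcap/dlt.h for the link types in the tcpdump output.
DLT_NAMES = {1: "EN10MB", 105: "IEEE802_11", 127: "IEEE802_11_RADIO"}

def load_libpcap():
    """Load the system libpcap and declare the signatures of the calls used below."""
    path = ctypes.util.find_library("pcap")
    if path is None:
        raise OSError("libpcap not found")
    lib, h, i = ctypes.CDLL(path), ctypes.c_void_p, ctypes.c_int
    lib.pcap_create.restype = h
    lib.pcap_create.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    lib.pcap_can_set_rfmon.argtypes = lib.pcap_activate.argtypes = [h]
    lib.pcap_set_rfmon.argtypes = [h, i]
    lib.pcap_list_datalinks.argtypes = [h, ctypes.POINTER(ctypes.POINTER(i))]
    lib.pcap_free_datalinks.argtypes = [ctypes.POINTER(i)]
    lib.pcap_close.argtypes = [h]
    lib.pcap_free_datalinks.restype = lib.pcap_close.restype = None
    return lib

def probe_link_types(device, monitor, lib=None):
    """Return (monitor mode available?, [link-type names]) for the chosen mode."""
    if lib is None:
        lib = load_libpcap()
    errbuf = ctypes.create_string_buffer(256)  # PCAP_ERRBUF_SIZE
    handle = lib.pcap_create(device.encode(), errbuf)
    if not handle:
        raise OSError(errbuf.value.decode(errors="replace"))
    try:
        # Asked before activation; a result of 1 is what would enable the check box.
        can_rfmon = lib.pcap_can_set_rfmon(handle) == 1
        if monitor:
            if not can_rfmon:
                raise OSError(f"{device}: monitor mode not available")
            lib.pcap_set_rfmon(handle, 1)
        if lib.pcap_activate(handle) < 0:  # negative is an error, positive a warning
            raise OSError(f"{device}: pcap_activate failed")
        dlts = ctypes.POINTER(ctypes.c_int)()
        count = lib.pcap_list_datalinks(handle, ctypes.byref(dlts))
        if count < 0:
            raise OSError(f"{device}: pcap_list_datalinks failed")
        names = [DLT_NAMES.get(dlts[k], f"DLT {dlts[k]}") for k in range(count)]
        lib.pcap_free_datalinks(dlts)
        return can_rfmon, names
    finally:
        lib.pcap_close(handle)
```

Against a real interface this needs capture privileges, and requesting monitor mode has the side effects the comment describes (possible disassociation from the network).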